Wireless communication systems refer generally to any telecommunication system which enables wireless communication between the users and the network. In mobile communication systems users are capable of moving within the coverage area of the network. A typical mobile communications system is a public land mobile network (PLMN). The present invention can be used in different mobile communication systems, such as Universal Mobile Communication system (UMTS) and IMT-2000 (International Mobile Telecommunication 2000). In the following, the invention is described by way of example with reference to UMTS, more specifically to the UMTS system being specified in the 3rd generation partnership project 3GPP, without restricting the invention to it.
Information, such as control signalling and user data, is exchanged between a mobile station and the network infrastructure by means of data packets. Each data packet comprises at least a header and a data portion. The header may comprise an address for routing the data packet. When data is transmitted unciphered, the address can be changed, especially when the address is of IP-type (Internet Protocol) and the data transmission involves certain security problems.
FIG. 1 illustrates a situation where a third party MiM, a “man-in the-middle”, interferes with radio communication between mobile station MS2 and the network infrastructure over the air interface. In the present application the third party is referred to as an intruder. This term covers all kinds of unauthorized interference with communication over the air interface irrespective of whether the purpose of the interference is eavesdropping, disturbing communications by modifying, deleting, re-ordering, replaying, spoofing, or any other unexceptional operation. The intruder may for example interfere with unciphered radio communication by transmitting unauthorized copies of messages transmitted via a radio connection, change addresses of data packets sent from the mobile station MS2, filter data packets or send false messages and interfere with communication integrity.
The intruder MiM represents the network infrastructure (a base station BS2 and RNC2, i.e. RNS2, which are described below in FIG. 1), for the mobile station MS2 (the target user) and simultaneously represents a mobile station MS2 for the network infrastructure (the genuine base station BS2 (and RNC2)). The intruder MiM can take a passive role and simply eavesdrop the messages. The major problem is that the unciphered connection enables the intruder MiM to modify headers allowing the intruder to send and/or receive its own data over the connection of the MS2 without the mobile station MS2 (and the network side) noticing this. The intruder MiM simply lets all packets from MS2 go through and only modifies the headers of the packets (mainly protocol data unit PDU numbers) in order to be able to send its packets between packets sent from MS2. For downlink packets the intruder MiM filters its own packets off the data stream and lets packets to the MS2 go through with modified headers Thus the user of the MS2 does not notice the intruder and does not know that he has to pay also for the intruder's packets. The user of MS2 can notice this only afterwards from his bill.
One solution to this major problem is to authenticate each single data packet (message) by verifying the integrity of the data packet. This authentication is often called integrity protection and usually it does not include protection of confidentiality of the transmitted data. packets. To protect the integrity of a data packet, the sending party computes a message authentication code MAC-I value according to a predefined algorithm and appends it to the data packet before sending it. A MAC-I is typically a relatively short bit string, which depends on the data packet (message) to which it is appended and on a secret key known both by the sender and by the receiver of the data packet. The receiving party recomputes an XMAC-I value based (typically) on the message and the secret key according to the predefined algorithm, and compares the received MAC-I and the calculated XMAC-I. If they match, the receiver can trust that the data packet (message) is intact and sent by the supposed party.
The problem in the integrity protection is increased overhead in communication. Typically, the MAC-I value should be long enough to reduce the probability of guessing it right to a sufficiently low level compared with the benefit gained by one successful forgery. For example, using a 32-bit MAC-I value reduces the probability of a correct guess to 1/4 294 967 296, which is small enough for most applications. At the radio interface, however, 32 extra bits per packet is considered as a significant overhead and should be avoided whenever possible. That is why in UMTS, for instance, the integrity protection by added MAC-Is is applied only to signalling (on the control plane). When applying the integrity protection only to signalling, the intruder can modify the user data, and especially the headers, and send/receive his own data so that it is charged from the legal target user MS2. A similar problem may be encountered in any telecommunications system in which unciphered data transmission in the air interface is possible.